Explore innovative strategies for detecting and mitigating malware at the DNS and IP level in this Black Hat conference talk. Dive into advanced techniques for tracking botnets, including fast flux and DGA-based methods, using graph clustering and DNS traffic analysis. Learn about unconventional approaches to IP reputation that combine AS graph topology analysis with granular IP range investigations. Discover how to preemptively detect and block malicious IP infrastructures, closing the detection gap against evolving threats. Experience the power of 3D visualization in malware analysis, with demonstrations of GPU-accelerated force-directed algorithms and OpenGL ES rendering. Gain insights into real-world "war stories" of hunting down malware domains and rogue IP spaces, and explore practical tools for gathering predictive threat intelligence.
Overview
Syllabus
Introduction
Welcome
Agenda
Current Climate
Investigation Process
What is Fast Flux
Fast Flux Proxy Network
Zeus
CNC domains
Methods
Workflow
Semantic Library
Data Extraction
Citadel Examples
Botnet Examples
What is Pony
Passwords
Applications
Stats
Clients
IP Style
OVH Canada
OVH Ukraine
OVH Russia
Nuclear Exploited Domains
Prediction for Fight Protection
How we did it
Interest
Fingerprinting
Same server setup
Growing trend
OVH
Rope
Electric Kitten
Police
English dictionaries
ASN graph
Understanding the internet
The IT Crowd
The Internet
Why do we do this
OpenCL view
Cluster view
Network geek
Network connectivity
Investigation
Conclusions
Visual approach
Detect
Summary
BGP Outages
ISP Outages
Autonomous Systems
In Conclusion
Taught by
Black Hat
